Attachment policy implementation prevents other plugins from functioning correctly
| Reported by: | octo | Owned by: | Blackhex |
The ILegacyAttachmentPolicyDelegate implementation in api.py does not check the resource realm prior to doing its permission check. If this permission check fails, it has the side effect of preventing permission checks in other modules from even functioning at all. On my system, the side effect was that FullBlogPlugin was unable to display attachments for anonymous users (and disabling the DiscussionPlugin magically fixed it).
The current code is written as follows:
    def check_attachment_permission(self, action, username, resource, perm):
        # Answers for every attachment, whatever realm its parent belongs to.
        return perm.has_permission('DISCUSSION_ATTACH')
It should instead look something like this:
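    def check_attachment_permission(self, action, username, resource, perm):
        # Only decide for attachments whose parent is a discussion resource;
        # for any other realm the method falls through and returns None.
        if resource.parent.realm == 'discussion':
            return perm.has_permission('DISCUSSION_ATTACH')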
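The following is an added example, not part of the ticket or of either plugin's code, that models the side effect described above. It assumes delegates are consulted in turn and the first answer that is not None is final; `decide`, `BlogDelegate`, the `Resource` and `Perm` stand-ins and the sample resources are hypothetical.

```python
class Resource:
    """Minimal stand-in for a resource with a realm and an optional parent."""
    def __init__(self, realm, id=None, parent=None):
        self.realm, self.id, self.parent = realm, id, parent

class Perm:
    """Stand-in for a user's permissions: a set of granted action names."""
    def __init__(self, *granted):
        self.granted = set(granted)
    def has_permission(self, action):
        return action in self.granted

class BuggyDiscussionDelegate:
    def check_attachment_permission(self, action, username, resource, perm):
        return perm.has_permission('DISCUSSION_ATTACH')   # answers for every realm

class FixedDiscussionDelegate:
    def check_attachment_permission(self, action, username, resource, perm):
        if resource.parent.realm == 'discussion':
            return perm.has_permission('DISCUSSION_ATTACH')
        return None                                       # no opinion: defer

class BlogDelegate:  # hypothetical stand-in for another plugin's delegate
    def check_attachment_permission(self, action, username, resource, perm):
        if resource.parent.realm == 'blog':
            return perm.has_permission('BLOG_VIEW')
        return None

def decide(delegates, action, username, resource, perm):
    """Assumed dispatch model: the first decision that is not None wins."""
    for delegate in delegates:
        decision = delegate.check_attachment_permission(action, username, resource, perm)
        if decision is not None:
            return decision
    return None

def demo():
    anon = Perm('BLOG_VIEW')   # constructed: anonymous may view blog, not attach to discussions
    blog_att = Resource('attachment', 'a.png', Resource('blog', 'post'))
    disc_att = Resource('attachment', 'b.png', Resource('discussion', 'topic/1'))
    buggy = [BuggyDiscussionDelegate(), BlogDelegate()]
    fixed = [FixedDiscussionDelegate(), BlogDelegate()]
    return {
        'buggy_blog': decide(buggy, 'ATTACHMENT_VIEW', 'anonymous', blog_att, anon),
        'fixed_blog': decide(fixed, 'ATTACHMENT_VIEW', 'anonymous', blog_att, anon),
        'fixed_discussion': decide(fixed, 'ATTACHMENT_VIEW', 'anonymous', disc_att, anon),
    }

if __name__ == '__main__':
    print(demo())
```

With the unconditional delegate first in the chain, the blog delegate is never asked about the blog attachment; with the realm check it is, while discussion attachments are still denied to a user without DISCUSSION_ATTACH.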